
Policy-Based Protection for Computer Systems From Viruses and Worms

IP.com Disclosure Number: IPCOM000030255D
Original Publication Date: 2004-Aug-03
Included in the Prior Art Database: 2004-Aug-03
Document File: 2 page(s) / 51K

Publishing Venue

IBM

Abstract

Malware and virus software present a constant threat to computer systems. Current solutions for protecting a computer system consist of scanning and monitoring filesystem input/output streams for known virus signatures. The problem with this approach is that, to fend off a malware attack, every computer must be updated with the signatures of all existing malware. As a result, even if a new piece of malware exploits a computer system in the same fashion as known malware, computer systems cannot be protected against it until its signature has been compiled and distributed. The core idea of this disclosure is to use behavioral profiling to assess the risk posed by particular executable(s) and to create a policy set representing malware behaviour. By monitoring operations on a given computer system and comparing them against such a policy set, malware infection and propagation can be caught irrespective of the malware's implementation details.

This is the abbreviated version, containing approximately 53% of the total text.

Current solutions for protecting a computer system from malware depend on checking executable code against known malware signatures. In contrast, this invention proposes a method that looks for behavioral patterns of executable code and compares them against a policy set. As a result, the method protects a computer system against loopholes and attack patterns independent of the size and form that a virus or other malware takes as an executable program.

The set of policies is predetermined based on safe and unsafe system operations, such as filesystem operations, registry updates, etc. Some examples of unsafe operations:
1) A program other than ftp.exe initiating an FTP session with a remote system
2) Microsoft Outlook editing Windows Registry entries
3) IIS overwriting an executable in the C:\WINNT\System32 directory

Policies and allowable operations can be organized in tuples such as <user : program : path : capabilities>. As each operation begins, the system predicts its outcome and consults the policy list, then makes a decision that either lets the operation run to completion, requests user input, or blocks the operation, as specified in the policy.
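As an added illustration (not part of the original disclosure), the following Python sketch shows how such tuples could be evaluated at the moment an operation begins. Each policy field is a glob pattern, a leading "!" negates a field, the first matching policy wins, and an operation that matches no policy falls through to a configurable default. The policy set encodes the three unsafe operations listed above plus one hypothetical prompt rule; the process image names (inetinfo.exe for IIS, iexplore.exe for Internet Explorer), the capability vocabulary, the "tcp://host:port" endpoint notation and the sample operations are all assumptions made for this example, not taken from the disclosure.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Callable, List, Tuple

ALLOW, PROMPT, BLOCK = "allow", "prompt", "block"


@dataclass(frozen=True)
class Operation:
    """One system operation, captured before it executes (assumed field names)."""
    user: str
    program: str     # image path of the process requesting the operation
    path: str        # file path, registry key, or network endpoint "tcp://host:port"
    capability: str  # e.g. file_write, registry_write, net_connect (assumed vocabulary)


@dataclass(frozen=True)
class Policy:
    """A <user : program : path : capabilities> tuple plus the action to take on a match."""
    user: str
    program: str
    path: str
    capability: str
    action: str
    reason: str = ""


def _match(pattern: str, value: str) -> bool:
    """Case-insensitive glob match; a leading '!' negates the pattern."""
    negate = pattern.startswith("!")
    if negate:
        pattern = pattern[1:]
    return fnmatchcase(value.lower(), pattern.lower()) != negate


def matches(policy: Policy, op: Operation) -> bool:
    return all(_match(p, v) for p, v in (
        (policy.user, op.user),
        (policy.program, op.program),
        (policy.path, op.path),
        (policy.capability, op.capability),
    ))


def decide(op: Operation, policies: List[Policy], default: str = ALLOW) -> Tuple[str, str]:
    """Return (action, reason) from the first matching policy, else the default."""
    for policy in policies:
        if matches(policy, op):
            return policy.action, policy.reason
    return default, "no matching policy"


def enforce(op: Operation, policies: List[Policy],
            ask_user: Callable[[Operation], bool] = lambda _op: False) -> bool:
    """Return True if the operation may proceed. PROMPT defers to ask_user,
    which defaults to denying when nobody is there to answer."""
    action, _ = decide(op, policies)
    if action == PROMPT:
        return ask_user(op)
    return action == ALLOW


# Constructed policy set: rules 1-3 encode the three unsafe operations listed in the
# disclosure; rule 4 is a hypothetical prompt rule. Process image names are assumed.
POLICIES = [
    Policy("*", r"!*\ftp.exe", "tcp://*:21", "net_connect", BLOCK,
           "only ftp.exe may open FTP sessions"),
    Policy("*", r"*\outlook.exe", "*", "registry_write", BLOCK,
           "Outlook must not edit the Registry"),
    Policy("*", r"*\inetinfo.exe", r"C:\WINNT\System32\*.exe", "file_write", BLOCK,
           "IIS must not overwrite System32 executables"),
    Policy("*", r"*\iexplore.exe", "*.exe", "file_write", PROMPT,
           "browser is writing an executable; ask the user"),
]

# Constructed sample operations, as an interception hook in the OS might report them.
SAMPLE_OPERATIONS = [
    Operation("alice", r"C:\Program Files\Microsoft Office\OUTLOOK.EXE",
              r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "registry_write"),
    Operation("SYSTEM", r"C:\WINNT\System32\inetsrv\inetinfo.exe",
              r"C:\WINNT\System32\cmd.exe", "file_write"),
    Operation("bob", r"C:\Temp\update.exe", "tcp://203.0.113.5:21", "net_connect"),
    Operation("bob", r"C:\WINNT\System32\ftp.exe", "tcp://203.0.113.5:21", "net_connect"),
    Operation("alice", r"C:\Program Files\Internet Explorer\iexplore.exe",
              r"C:\Temp\setup.exe", "file_write"),
    Operation("alice", r"C:\Program Files\Microsoft Office\WINWORD.EXE",
              r"C:\Docs\report.doc", "file_write"),
]


def audit(operations=SAMPLE_OPERATIONS, policies=POLICIES) -> List[str]:
    """Decide each operation, print a one-line log entry, and return the actions."""
    actions = []
    for op in operations:
        action, reason = decide(op, policies)
        actions.append(action)
        print(f"{action:6s} {op.user}: {op.program} -> {op.capability} {op.path} ({reason})")
    return actions


if __name__ == "__main__":
    audit()
```

Because policies are checked in order and the first match wins, an explicit allow placed before a broader block rule is an alternative to the "!" negation used in rule 1; either way, ftp.exe itself falls through to the default while any other program opening port 21 is blocked, which is exactly the signature-independent behaviour the disclosure is after.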

The basic idea is to identify the mechanisms that viruses and worms use to infect a computer system and then design the system to monitor program behaviour for these action patterns. Such a system would mostly be implemented as a module in the operating system.

The following is a set of policies to protect a system from the most common infection mechanisms used by malware:
1) Policies to block malware infection through web sites and email. Description: Do not let mail programs (Outlook, Lotus Notes, etc.) and web browsers (IE, Mozilla, Netscape) write...